11-28-2005, 05:16 AM
#1
Member
Registered: Aug 2004
Posts: 210
getting pid of iptables!!
Hi to all,
I would like to know how to get the PID of iptables which is running on a machine. I want to know what %CPU it is using. I tried with the top command but got only a long list of PIDs and other stuff..
Is there a better way to know this?
Warm regards,
Visham
11-28-2005, 07:12 AM
#3
Member
Registered: Apr 2004
Location: Europe
Distribution: Debian, Slackware
Posts: 505
Iptables is only used to control the kernel's packet filtering. It only runs when you set or modify your rules with it, after which it terminates. It's the kernel itself that does the actual filtering. So actually iptables runs only for a very brief time; it doesn't really consume your system resources (or at least the amount is insignificant).
Last edited by alienDog; 11-28-2005 at 07:14 AM.
11-29-2005, 12:09 AM
#4
Member
Registered: Aug 2004
Posts: 210
Original Poster
Hi to all,
Quote:
ps -p (list process by PID)
I did check this but I didn't find that of the iptables process... how is it called? Do you find it on your system? If it's the kernel that does the filtering, then under what kernel process name does it come?
Quote:
So actually iptables runs only a very brief time, it doesn't really consume your system resources (or at least the amount is insignificant).
When I use the "top" command, I get values for user, system, idle... in which of these categories will the iptables process fall (user or system)? How can I know the % of CPU usage of the packet filtering process?
Many thx for your replies..
Warm regards,
Visham
11-29-2005, 01:13 AM
#5
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
As was said above, iptables is just a frontend for the netfilter stuff that runs in the kernel. It is not its own process. I'm not sure if there's any really good way to get performance stats for it. In recent kernels that support kprobes I imagine you could work up something that would give you performance metrics, but beyond that I'm not sure if there's a way. As a general rule, unless you have a really large ruleset (hundreds or thousands of rules), the overhead of packet filtering is next door to nothing.
Beyond that I'm just not sure, although doing a Google search for iptables performance measuring shows some results that may be helpful.
11-29-2005, 11:08 AM
#6
Member
Registered: Apr 2004
Location: Europe
Distribution: Debian, Slackware
Posts: 505
Quote:
Originally posted by btmiller
Beyond that I'm just not sure, although doing a Google search for iptables performance measuring shows some results that may be helpful.
Actually it's netfilter performance measurements that you're looking for, of course
--edit--
Maybe this would be helpful: http://people.netfilter.org/kadlec/nftest.pdf
Last edited by alienDog; 11-29-2005 at 11:24 AM.
12-01-2005, 01:37 AM
#7
Member
Registered: Aug 2004
Posts: 210
Original Poster
To Aliendog: Many thx for the link... really interesting document... and yes you are right, it's the performance of netfilter that I'm looking for.
I tried using the top command (top -b -d 1 > /etc/file1) and stored the output in a file.
I found that the % for system increased during the filtering and I'm using this as performance results.
What do you think about it?
Regards,
Visham
12-01-2005, 03:24 PM
#8
Member
Registered: Apr 2004
Location: Europe
Distribution: Debian, Slackware
Posts: 505
How big an increase are you talking about, and with what kind of ruleset?
12-01-2005, 09:32 PM
#9
Member
Registered: Aug 2004
Posts: 210
Original Poster
For the ruleset I simply put 1000 rules in the filter table of the FORWARD chain. For example:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -s 192.167.10.1 -d 192.125.10.99 -j ACCEPT
I changed the src & dst IP addresses to get 1000 rules. I'm using a restrictive iptables firewall, with all policies set to DROP. Then I place the rule that will accept the packet last.
When I have 1000 rules, I get a maximum increase of 78.4% (on average it's 50%)
When I have 2000 rules, I get a maximum increase of 95.5% (on average it's 90%)
Before filtering began, the % system CPU usage was 0.3 and 0.5 respectively.
I used top -b -d 1 > /home/file1 to get the results. Is there a way to get only the value for %system rather than the whole lot of process names and the other unwanted details?
Any comments on the results will be very much appreciated..
Warm regards,
Visham
12-02-2005, 07:30 AM
#10
Member
Registered: Apr 2004
Location: Europe
Distribution: Debian, Slackware
Posts: 505
So your CPU usage for system is up to 95.5% with 2000 rules in the table, or you get an increase of 95.5% (which would make your CPU usage about 1.0%)? The former case would sound like a lot to me, but I guess it's possible if the machine that you're using as a firewall is an old one and there is a lot of network traffic.
For filtering out unwanted information from top's output you could simply use grep (top prints the line as "Cpu(s):", so match case-insensitively):
top -b -d 1 | fgrep -i 'cpu(s):' > /etc/file1
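As an added example, not code from any poster in this thread: a small sh script that pulls the system-CPU figure out of the per-second "Cpu(s):" line of top's batch output and reports the sample count, the peak and the average, which is what the 1000-rule versus 2000-rule comparison above rests on. The SAMPLE_TOP text is constructed; the function name sys_cpu_stats is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `top -b -d 1` output, keeps only the
# per-iteration CPU summary line, and extracts the "sy" (system) percentage.
# Handles the three spellings of that field seen across top versions:
# "50.0%sy,", "50.0% sy," and "50.0 sy,".

# Constructed sample of top batch output (three iterations, process rows omitted).
SAMPLE_TOP='top - 09:49:01 up 3 days,  1:02,  2 users,  load average: 0.10, 0.08, 0.05
Tasks:  80 total,   1 running,  79 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.0% us,  0.3% sy,  0.0% ni, 98.7% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:    255000k total,   200000k used,    55000k free,    20000k buffers
Cpu(s):  2.0%us, 50.0%sy,  0.0%ni, 48.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
%Cpu(s):  1.5 us, 78.4 sy,  0.0 ni, 20.1 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st'

# sys_cpu_stats: reads top batch output on stdin, prints "<samples> <max> <avg>"
# for the system-CPU percentage, or nothing if no CPU summary line was seen.
sys_cpu_stats() {
    grep -iE '^%?cpu' | awk '
    BEGIN { max = 0; n = 0; sum = 0 }
    {
        for (i = 1; i <= NF; i++) {
            v = ""
            if ($i ~ /%sy/) {                       # "50.0%sy,"
                v = $i; sub(/%sy.*/, "", v)
            } else if ($i ~ /^sy,?$/ && i > 1) {    # "50.0% sy," or "50.0 sy,"
                v = $(i - 1); sub(/%$/, "", v)
            }
            if (v != "") {
                v += 0; n++; sum += v
                if (v > max) max = v
            }
        }
    }
    END { if (n > 0) printf "%d %.1f %.1f\n", n, max, sum / n }'
}

# Offline demonstration on the constructed sample. On a live firewall use
#   top -b -d 1 -n 60 | sys_cpu_stats
# while iperf is pushing traffic through the FORWARD chain.
printf '%s\n' "$SAMPLE_TOP" | sys_cpu_stats
```

Note that %sy counts every kind of kernel work, including the network stack's own handling of the iperf traffic, so it is an upper bound on what netfilter itself costs rather than a measurement of netfilter alone.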
12-02-2005, 10:28 AM
#11
Member
Registered: Aug 2004
Posts: 210
Original Poster
Quote:
So your cpu usage for system is up to 95.5% with 2000 rules in the table or you get an increase of 95.5%
The CPU usage for system reaches a max of 95.5%... I made a mistake in saying a max increase of 95.5%. ;-)
Quote:
guess it's possible if the machine that you're using as a firewall is an old one and there is a lot of network traffic
I'm actually using a P4, 256 MB RAM. I used iperf to generate TCP traffic, with a window size of 214KB.
Many thx for the fgrep command hint... I thought of using grep but didn't know how to formulate the command for getting the values of the "% system" only.
Regards,
Visham
Last edited by vishamr2000; 12-02-2005 at 11:03 AM.